Author Topic: *stats.php - a tiny riddle  (Read 6891 times)

January 13, 2014, 02:54:09 am
michajp
Something flying under the radar since at least December 2013 ...

Compromised legitimate websites containing inserted "*stats.php" links.
Details: http://michajp.blogspot.jp/2013/12/the-stats-which-arent.html

On _first_ access, the user will be redirected to:
1.
hxxp://skriperstreet300.com/index.php

(Formerly also skriperstreet100 and skriperstreet200.)

From there, another URL is retrieved, sample:
2.
hxxp://skriperstreet300.com/1389580315/0ecca5400e5c2a0bcd6c01256de902fb.js

The .js contains another URL, leading to another set of URLs, example:
3.
zltxny.contractorchemist.pw/9-4fd5Y8-44f-f_17-2C186-d09U7Ge993b-af-d23Bc-aP.html
zltxny.contractorchemist.pw/418253043/1388286480.jar
zltxny.contractorchemist.pw/418253043/1388286480.pdf
zltxny.contractorchemist.pw/f/1388286480/418253043/6

The links in 2. and 3. seem to change with extreme speed. Only a few minutes after grabbing code from "contractorchemist.pw", the domain was no longer resolvable.
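
Added example, not part of the original post: because the hosts in steps 2 and 3 stop resolving within minutes, this sketch flags the chain in proxy logs by URL path shape and per-client sequence instead of by domain. The path patterns are generalized from the single samples above, and the log format, time window and `.example` hosts are assumptions.

```python
import re
from urllib.parse import urlsplit

# Path shapes copied from the single samples in the post. Treating them as
# stable while the hosts rotate is an assumption, as is the time window.
STAGES = {
    "stats_link": re.compile(r"/[^/]*stats\.php$"),
    "stage2_js": re.compile(r"^/\d{10}/[0-9a-f]{32}\.js$"),
    "payload": re.compile(r"^/\d{9,10}/\d{10}\.(?:jar|pdf)$"),
}
WINDOW = 120  # seconds between the *stats.php hit and later stages (assumed)

def classify(url):
    """Return the stage name whose path shape the URL matches, else None."""
    url = url.replace("hxxp://", "http://", 1)   # accept defanged URLs
    if "://" not in url:
        url = "http://" + url
    path = urlsplit(url).path
    for name, rx in STAGES.items():
        if rx.search(path):
            return name
    return None

def find_chains(log_lines):
    """Map client -> ordered stages, for clients that requested a *stats.php
    link and then a later-stage URL within WINDOW seconds."""
    started, hits = {}, {}
    for line in log_lines:
        ts, client, url = line.split()
        stage = classify(url)
        if stage == "stats_link":
            started[client] = int(ts)
            hits[client] = [stage]
        elif stage and client in started and int(ts) - started[client] <= WINDOW:
            hits[client].append(stage)
    return {c: s for c, s in hits.items() if len(s) > 1}

# Constructed proxy log ("epoch client url"); the .example hosts are made up,
# the other URLs are the samples quoted in the post.
SAMPLE_LOG = [
    "1389580300 10.0.0.5 hxxp://compromised.example/js/webstats.php",
    "1389580301 10.0.0.5 hxxp://skriperstreet300.com/index.php",
    "1389580315 10.0.0.5 hxxp://skriperstreet300.com/1389580315/0ecca5400e5c2a0bcd6c01256de902fb.js",
    "1389580320 10.0.0.5 zltxny.contractorchemist.pw/418253043/1388286480.jar",
    "1389580300 10.0.0.9 hxxp://intranet.example/stats.php",
    "1389580400 10.0.0.7 hxxp://cdn.example/1389580315/0ecca5400e5c2a0bcd6c01256de902fb.js",
]

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
```

A lone `stats.php` request or a lone hex-named `.js` is not reported; only a client that shows the sequence is.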